
@cebidhem
Owner

Summary

This PR introduces a comprehensive pre-commit hook that integrates Trivy security scanning to automatically detect vulnerabilities before commits are finalized. The implementation includes a Python-based hook with extensive configuration options, comprehensive test coverage, and CI/CD automation.

Key Features

🔒 Core Functionality

  • Automated Security Scanning: Runs Trivy filesystem scans on every commit
  • Configurable Severity Levels: Filter vulnerabilities by severity (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL)
  • Multiple Scanners: Support for vulnerability, misconfiguration, secret, and license scanning
  • Flexible Output Formats: Table, JSON, SARIF, SBOM (CycloneDX/SPDX), and GitHub formats
  • Dependency Tree Visualization: Optional --dependency-tree flag to show vulnerability chains

🛠️ Configuration Options

All options are customizable via command-line arguments:

  • --severity: Severity filtering (default: HIGH,CRITICAL)
  • --format: Output format (default: table)
  • --scanners: Scanner types (default: vuln)
  • --dependency-tree: Show dependency tree with vulnerabilities
  • --skip-db-update: Skip database updates for faster scans
  • --timeout: Scan timeout configuration
  • --ignore-unfixed: Ignore unfixed vulnerabilities
  • --trivyignore: Custom ignore file support
  • --config: Custom Trivy configuration file

✅ Quality Assurance

  • Comprehensive Test Suite: 28 tests with 94% code coverage
  • Code Quality: 10.00/10 pylint score
  • Automated CI/CD: GitHub Actions workflow for testing and linting
  • Modern Python Practices: Type hints, docstrings, and clean code structure
  • Dependency Management: Pinned dependencies using uv with lock file

📦 Implementation Details

Files Added:

  • pre_commit_hooks/trivy_scan.py - Main hook implementation (212 lines)
  • tests/test_trivy_scan.py - Comprehensive test suite (283 lines)
  • tests/conftest.py - Pytest fixtures and configuration
  • .pre-commit-hooks.yaml - Pre-commit framework integration
  • .github/workflows/ci.yml - CI/CD automation
  • pyproject.toml - Project metadata and tool configuration
  • uv.lock - Locked dependencies for reproducibility
  • .pylintrc - Linting configuration
  • .trivyignore.example - Example vulnerability ignore file
  • trivy.yaml.example - Example Trivy configuration
  • README.md - Comprehensive documentation

Recent Fixes:

  • ✅ Updated deprecated pre-commit stage name from commit to pre-commit (fixes compatibility warning)
  • ✅ Added .gitignore entries for cache and IDE files

Usage

As a Pre-commit Hook

Add to .pre-commit-config.yaml:

repos:
  - repo: https://github.com/cebidhem/pre-commit-trivy
    rev: v0.1.0  # Use the latest release
    hooks:
      - id: trivy-scan
        args: ['--severity', 'HIGH,CRITICAL']

Standalone

pip install pre-commit-trivy
trivy-scan --severity CRITICAL --format json

Testing

All validation commands pass successfully:

# Code formatting
✓ black --check pre_commit_hooks tests

# Code quality  
✓ pylint pre_commit_hooks (10.00/10)

# Test suite
✓ pytest tests/ --cov=pre_commit_hooks (28 passed, 94% coverage)

CI/CD

GitHub Actions workflow runs on every push and PR:

  • ✅ Black formatting checks
  • ✅ Pylint code quality checks
  • ✅ Pytest with coverage reporting
  • ✅ Multi-version Python testing (3.9, 3.10, 3.11, 3.12)

Breaking Changes

None - this is the initial release.

Dependencies

  • Runtime: None (uses stdlib only)
  • Development: pytest, pytest-cov, black, pylint
  • External: Requires Trivy to be installed separately

Documentation

Complete documentation includes:

  • Installation instructions (pre-commit and standalone)
  • Configuration options reference table
  • Usage examples for common scenarios
  • Development setup guide
  • Contributing guidelines
  • Links to Trivy documentation

Commits Included

  • feat: implement Trivy pre-commit hook with security scanning
  • chore: add uv.lock file with pinned dependencies
  • fix: update pre-commit stage name from deprecated 'commit' to 'pre-commit'
  • feat: add --dependency-tree flag to display vulnerability dependency tree
  • chore: add to .gitignore

Related Issues

Closes #1 - Implement Trivy pre-commit hook
Closes #3 - Fix deprecated pre-commit stage name


Ready for Review: All tests passing, documentation complete, CI/CD configured.
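The hook the PR describes is a thin wrapper that turns command-line options into a `trivy fs` invocation and fails the commit on findings. The following is an added example of such a wrapper, not the pre-commit-trivy project's own `trivy_scan.py`. The function names (`parse_arguments`, `build_trivy_command`, `run_scan`), the mapping of the hook's `--trivyignore` option onto Trivy's `--ignorefile` flag, and the `--path` option defaulting to the repository root are assumptions made here; the Trivy flags used (`--exit-code`, `--severity`, `--format`, `--scanners`, `--dependency-tree`, `--skip-db-update`, `--ignore-unfixed`, `--timeout`, `--ignorefile`, `--config`) are real Trivy CLI flags.

```python
"""Added example, not the pre-commit-trivy project's code: a minimal Trivy
pre-commit hook in the shape the PR describes.

Assumptions (not taken from the PR page): the function names parse_arguments,
build_trivy_command and run_scan are hypothetical; --trivyignore is mapped onto
Trivy's --ignorefile flag, and the scan target defaults to the repository root.
"""
import argparse
import shutil
import subprocess
import sys
from typing import List, Optional

VALID_SEVERITIES = {"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}
VALID_SCANNERS = {"vuln", "misconfig", "secret", "license"}


def parse_arguments(argv: Optional[List[str]] = None) -> argparse.Namespace:
    """Parse the hook options; defaults mirror the ones listed in the PR."""
    parser = argparse.ArgumentParser(prog="trivy-scan")
    parser.add_argument("--severity", default="HIGH,CRITICAL")
    parser.add_argument("--format", default="table")
    parser.add_argument("--scanners", default="vuln")
    parser.add_argument("--dependency-tree", action="store_true")
    parser.add_argument("--skip-db-update", action="store_true")
    parser.add_argument("--timeout", default=None, help="Trivy duration, e.g. 5m")
    parser.add_argument("--ignore-unfixed", action="store_true")
    parser.add_argument("--trivyignore", default=None, help="custom ignore file")
    parser.add_argument("--config", default=None, help="Trivy config file")
    parser.add_argument("--path", default=".", help="directory to scan (assumed)")
    # pre-commit appends staged filenames unless pass_filenames is false;
    # a filesystem scan covers the whole tree, so they are accepted and ignored.
    parser.add_argument("filenames", nargs="*")
    return parser.parse_args(argv)


def build_trivy_command(args: argparse.Namespace) -> List[str]:
    """Translate parsed options into a `trivy fs` invocation.

    Validation happens here so that a typo such as --severity HGH fails the
    hook loudly instead of silently scanning for nothing. --exit-code 1 makes
    Trivy return non-zero when findings match, which is what blocks the commit;
    without it Trivy exits 0 even when it reports vulnerabilities.
    """
    severities = [s.strip().upper() for s in args.severity.split(",") if s.strip()]
    unknown = set(severities) - VALID_SEVERITIES
    if unknown:
        raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
    scanners = [s.strip().lower() for s in args.scanners.split(",") if s.strip()]
    unknown = set(scanners) - VALID_SCANNERS
    if unknown:
        raise ValueError(f"unknown scanner(s): {sorted(unknown)}")

    cmd = [
        "trivy", "fs",
        "--exit-code", "1",
        "--severity", ",".join(severities),
        "--format", args.format,
        "--scanners", ",".join(scanners),
    ]
    if args.dependency_tree:
        cmd.append("--dependency-tree")  # only rendered by the table format
    if args.skip_db_update:
        cmd.append("--skip-db-update")
    if args.ignore_unfixed:
        cmd.append("--ignore-unfixed")
    if args.timeout:
        cmd += ["--timeout", args.timeout]
    if args.trivyignore:
        cmd += ["--ignorefile", args.trivyignore]
    if args.config:
        cmd += ["--config", args.config]
    cmd.append(args.path)
    return cmd


def run_scan(args: argparse.Namespace) -> int:
    """Run Trivy and return its exit status (non-zero = findings or error)."""
    if shutil.which("trivy") is None:
        print("trivy-scan: trivy binary not found on PATH", file=sys.stderr)
        return 1
    try:
        cmd = build_trivy_command(args)
    except ValueError as exc:
        print(f"trivy-scan: {exc}", file=sys.stderr)
        return 1
    # Output is passed through unchanged so the developer sees the findings.
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    sys.exit(run_scan(parse_arguments()))
```

Two details matter for a hook like this: `--exit-code 1` is what actually turns a finding into a blocked commit, and `--skip-db-update` trades scan latency for the risk of missing advisories published since the last database refresh, so it is best paired with a scheduled CI scan that always updates.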

Copilot AI review requested due to automatic review settings October 23, 2025 10:58

Copilot AI left a comment


Pull Request Overview

This PR introduces a comprehensive pre-commit hook for Trivy security scanning with extensive configuration options, automated vulnerability detection, and high-quality test coverage. The implementation provides a production-ready tool for integrating security scanning into development workflows.

Key Changes

  • Implemented Python-based Trivy pre-commit hook with configurable severity levels, output formats, and scanner types
  • Added comprehensive test suite achieving 94% code coverage with 28 tests
  • Configured CI/CD pipeline for automated testing and code quality checks across Python 3.9-3.12

Reviewed Changes

Copilot reviewed 12 out of 14 changed files in this pull request and generated no comments.

Reviewed files:

  • pre_commit_hooks/trivy_scan.py - Core hook implementation with argument parsing and Trivy scan execution
  • pre_commit_hooks/__init__.py - Package initialization with version metadata
  • tests/test_trivy_scan.py - Comprehensive test suite covering all hook functionality
  • tests/conftest.py - Pytest fixtures for mocking Trivy installation and subprocess calls
  • tests/__init__.py - Test package initialization
  • .pre-commit-hooks.yaml - Pre-commit framework integration configuration
  • .github/workflows/ci.yml - GitHub Actions workflow for CI/CD automation
  • pyproject.toml - Project metadata, dependencies, and tool configurations
  • .pylintrc - Pylint code quality configuration
  • trivy.yaml.example - Example Trivy configuration file
  • .trivyignore.example - Example vulnerability ignore file
  • README.md - Complete documentation with usage examples and development guide


…mmit'

The pre-commit framework deprecated the 'commit' stage name in version 3.2.0,
replacing it with 'pre-commit' to better align with actual git hook names.

This change eliminates the deprecation warning and ensures compatibility with
future versions of the pre-commit framework. No functional changes - the hook
runs at the exact same point in the git workflow.
…tree

Add optional --dependency-tree argument that allows users to visualize
the dependency tree showing how vulnerabilities are introduced through
the dependency chain. This flag is disabled by default and can be enabled
when users need more detailed context about vulnerability sources.

Changes:
- Add --dependency-tree argument to parse_arguments() in trivy_scan.py
- Pass --dependency-tree flag to Trivy command when enabled
- Add comprehensive tests for the new flag
- Update README.md with configuration documentation and usage example
- All tests pass (28/28) with 94% code coverage
Signed-off-by: Mehdi Bechiri <cebidhem@pm.me>
@cebidhem cebidhem force-pushed the feat/trivy-pre-commit-hook-1 branch from 47fa432 to 0305052 Compare October 23, 2025 11:03
@cebidhem cebidhem merged commit d348054 into main Oct 23, 2025
4 checks passed
@cebidhem cebidhem deleted the feat/trivy-pre-commit-hook-1 branch October 23, 2025 11:07